Privileged Passwords. The Easiest Way Into Your Business?

Attackers don’t break in when they can log in

In IT security, the language we use can be misleading. We talk about attacks, breaches, and hacking our defences. These sound like violent acts – where an intelligent attacker outsmarts and out-thinks our security.

But that’s not always the case. In fact, most incidents are a whole lot quieter than that.

Attackers don’t always hack through layers of sophisticated security. Sometimes, they just use the password.

From individual users to service accounts, the privileged passwords you use are the easiest way into your business. They give people widespread access to your most confidential systems – the ones that support your everyday business and store your most private data.

* Service accounts that provide a security context for services. They’re not users specifically, and that means they’re often used from multiple applications and devices.

* Application accounts that secure the connection between two applications.

In the right hands, these are the passwords that help systems to work correctly and users to get on with what they need to do. But, in the wrong hands, they provide access to a wide range of functionality and data.

Take leading retailer Target, who had 40 million credit card numbers and personal information for as many as 70 million people stolen in November 2013. Their losses were estimated at $420 million, according to Gartner. And the sophisticated, advanced attack methodology that was used? Attackers simply logged in.

They took privileged passwords from one of Target’s HVAC suppliers – a considerably easier target – then used their widespread access to infect Target’s network with a trojan.

Target’s passwords, when turned against them, posed a serious security threat. But, of course, those passwords are an essential part of business. There’s no getting around their existence – we’ll always need to secure our infrastructure using passwords.

So what steps can we take to secure the passwords themselves?

Why your passwords aren’t protected

There’s a lot you can do to protect your privileged passwords.

You can enforce robust policies – like changing passwords on a regular basis, or enforcing a certain level of password strength. You can implement processes that keep the window of opportunity for misuse small. You could even use something like dual control to ensure that no single user knows your privileged passwords, with each part of a password defined by a different administrator.

But here’s the truth of it. That stuff is difficult and time-consuming, and usually involves huge spreadsheets.

We’re all working with limited resources. We’re trying to secure a huge range of devices, in a world where people bring their own laptop to work or take their operating system away with them on a USB drive. The threats continue to evolve. All of our resources go into keeping up.

That doesn’t mean you should do nothing. That just means you should look to automate the process as much as possible.

Thycotic Secret Server automatically discovers privileged passwords around your infrastructure and consolidates them in a secure vault with two-factor authentication and AES-256 encryption. All of your policies are enforced automatically, from password complexity to change frequency.

And, crucially, every interaction with a password is monitored and logged. Regular reports can be generated with a few clicks, which is ideal for the demands of compliance standards like PCI DSS, HIPAA, and SOX.

So you’ll always know who is using a password – and what they are using it for.
